iOS app flagged for malware, and why you shouldn't worry

An iOS game called Simply Find It, when run through BitDefender’s virus scanner, reportedly returns a positive result for Trojan.JS.iframe.BKD. This has drawn into question the effectiveness of Apple’s App Store approval process. Is this something that Apple should have caught, and is it something App Store customers should be worried about?

Macworld’s Lex Friedman explains what BitDefender encountered: Simply Find It's IPA -- iPhone application archive -- file contains an mp3 audio file which contains an HTML iframe tag in it which points to x.asom.cn. Normally an iframe might be used on a website to embed a frame that loads another page. These iframe tags can also be abused to try and load malicious code in a webpage without being noticed by users. Currently if you try to access x.asom.cn, the page is not available. Using the archive.org Wayback Machine, you can see the last time that the site hosted any content was back in July of 2010. At that time, the Chinese page just had a message telling users that its free URL forwarding service had been discontinued. Going back further in the site’s history, we can see that it used to redirect to a handful of different URLs, primarily http://218.90.221.222/jc/img/love/new.htm, which if you go to now, is a 404. It's anybody’s guess what this site ever actually hosted.

Microsoft’s Malware Protection Center page provides some additional details about the virus that BitDefender detected. The symptoms section of the page explains that antivirus alerts can be triggered by iframes in webpages, which are only a symptom of the virus, not an actual detection that the virus itself is present. This helps explain why BitDefender detected this virus in the IPA, as well as why other virus scanners didn’t detect it; it’s not actually the virus.

So we have an app, that has an mp3, that has an iframe, that loads a webpage that does not exist. I think it’s safe to say that this app poses no actual threat to anybody currently. But why did this slip through Apple’s review process? Shouldn’t they have detected this?

No. Any app can load a webpage. A webpage can’t (usually) download and run code. Exploits have been found in iOS before that allowed remote code execution from a webpage and these have been used in the past for jailbreaking. This type of exploit is fairly rare though, and no public exploits of this nature are currently known. Additionally, each iOS app runs in its own sandbox, confined to its own sort of play area. If a new exploit was discovered which allowed code execution from a webpage, it would likely require a second exploit that allowed it to break out of its sandbox in order to gain access to other data on the device. There’s no reason to believe that the Simply Find It game does or will do this.

While it’s certainly strange to see an app from that App Store return a positive result in a virus scanner, looking a little closer at things here, there’s no cause for alarm and no real reason to think Apple missed something that they should have caught. If anything, this app might suggest that this mp3 was once on a computer that had a virus that modified it. Apple’s App Store review process has always been a mystery. Apps with the ability to run unsigned code have made it into the App Store before and I’m sure they will again.

For today, however, there's no threat and no cause for additional alarm. For today, the App Store is as safe as it was yesterday.

iOS app flagged for malware, and why you shouldn't worry

For the sake of argument, lets say an app gets approved for the App Store, then a shady developer makes changes on the back end to serve malicious code. What can that really do on iOS? Is there a way for a web-based exploit to break out of sandbox?

Is there a way for it to gain access to personal information like contacts without user opt-in?

Part of the rationale for iOS lacking inter-app communication and some of the other features of Android is that it offers higher security, so even if something like the above mentioned app had actual malware, how big a problem would it be?

Of course there is -- unless you trust that both Apple's sandbox is bug-free and impregnable, and that and their review process is 100% foolproof.

- There have been remote exploits that do not require any more user intervention than hitting a remote link.

- Sandboxing prevents applications from using official channels to access other areas. Malware, almost by definition, is willing to try other means.

I'm not about to argue that iOS is some malware-infested cesspool -- clearly, it is not. But the person who thinks there is not "any reason to worry" because some other party (in this case Apple) handles all their security concerns is the person who gets compromised.